fix: Support corporate TLS for Anthropic (NODE_EXTRA_CA_CERTS) #27
Open
petre wants to merge 1 commit into knostic:master from
Summary

OpenAnt’s Python code calls Anthropic over HTTPS. On networks with TLS inspection (e.g. Zscaler), the proxy uses a certificate chain signed by a corporate CA that is not in the default trust store. Node and Claude Code commonly work because operators set NODE_EXTRA_CA_CERTS to a PEM file containing that CA. This PR makes the Anthropic Python client honor the same variable and documents it in the root README.

Changes

- libs/openant-core/utilities/anthropic_http.py (new): Builds an httpx client for the Anthropic SDK using the Mozilla CA bundle via certifi, then loads NODE_EXTRA_CA_CERTS so trust matches “public CAs + corporate root”.
- VERIFY_X509_STRICT when using the extra PEM so corporate intercept CAs that omit critical Basic Constraints still verify (avoids false failures vs typical Node behavior).
- create_anthropic_client() so all LLM paths share the same TLS behavior.
- core/analyzer.py: Fix NameError: define tracker via get_global_tracker() before add_prior_usage when restoring checkpoint usage.
- core/scanner.py: Report failures log the full exception chain (underlying SSL/connection errors), not only Anthropic’s generic “Connection error.”
- libs/openant-core/pyproject.toml: Declare certifi explicitly (imported for the trust bundle).
- README.md: Short NODE_EXTRA_CA_CERTS note for users behind HTTPS inspection.

How to test

Using the openant CLI (typical): configure a key with openant set-api-key …, or pass openant scan --api-key '…'.

Behind TLS inspection: also export NODE_EXTRA_CA_CERTS=/path/to/corporate-root.pem (same PEM many teams use for Node / Claude Code).
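The trust-store behaviour the description outlines, as an added example that is not the PR's code: it builds an `ssl.SSLContext` from the public bundle plus `NODE_EXTRA_CA_CERTS` and relaxes `VERIFY_X509_STRICT` only when that extra PEM is actually loaded. The names `build_tls_context` and `describe`, the fallback to the OS trust store when certifi is absent, and failing on a missing PEM path are assumptions of this example.

```python
import os
import ssl

try:
    import certifi  # Mozilla CA bundle, as the PR description mentions
except ImportError:  # assumption: fall back to the OS trust store
    certifi = None


def build_tls_context(env=None):
    """Return (SSLContext, extra_ca_loaded) for outbound HTTPS calls."""
    env = os.environ if env is None else env
    cafile = certifi.where() if certifi else None
    ctx = ssl.create_default_context(cafile=cafile)

    extra = env.get("NODE_EXTRA_CA_CERTS", "").strip()
    if not extra:
        return ctx, False  # public CAs only, default strictness untouched
    if not os.path.isfile(extra):
        # Fail loudly rather than run without the corporate root and
        # surface only a generic connection error later.
        raise FileNotFoundError(f"NODE_EXTRA_CA_CERTS not found: {extra}")

    ctx.load_verify_locations(cafile=extra)  # adds to, does not replace, trust
    # Relax strict X.509 checks only when an operator supplied extra roots.
    # Chain validation and hostname checking stay enabled.
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx, True


def describe(ctx):
    """Summarise the settings a reviewer should confirm were not weakened."""
    return {
        "verify_mode": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "x509_strict": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
    }

# The context can be handed to httpx as httpx.Client(verify=ctx), and that
# client to the Anthropic SDK via its http_client argument.
```

Checking `describe()` in a unit test guards against a later change that disables verification outright instead of adding the corporate root.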